Endpoint Detection and Response
2025-01-01

Overview#

Endpoint Detection and Response (EDR) captures host behavior, detects malicious activity, and enables responders to contain threats. Modern EDR platforms combine behavioral analytics, threat intelligence, and remote response actions such as isolation and memory capture.

Core objectives#

  • Provide high-fidelity endpoint telemetry across workstations, servers, and cloud workloads.
  • Detect tactics like credential theft, persistence, lateral movement, and ransomware execution.
  • Enable rapid response: isolate hosts, kill processes, remove persistence, and collect forensics remotely.
  • Integrate with SIEM/SOAR to enrich alerts and orchestrate containment.

Implementation notes#

  • Ensure agent coverage targets (e.g., >95%) with health monitoring for outdated versions or disabled sensors.
  • Tune detections using baselines and threat-informed hypotheses; map rules to MITRE ATT&CK for coverage tracking.
  • Pre-approve response actions (isolation, registry edits, script execution) with legal/IT to avoid delays during incidents.
  • Protect EDR consoles with strong authentication and least-privilege roles; log administrator actions.

Operational signals#

  • Leading indicators: agent deployment/health rates, detection-to-response latency, and false-positive ratio of new rules.
  • Lagging indicators: successful attacker dwell time on endpoints, ransomware impact before containment, or incidents traced to missing agents.
  • Feedback loops: periodic rule tuning, purple-team exercises, and post-incident updates to detection content.

Runbook essentials#

  • Host isolation workflow: confirm signal → isolate host → notify user/helpdesk → collect volatile data → remediate and restore network access.
  • Credential theft hunt: monitor LSASS access patterns, anomalous Kerberos tickets, and suspicious token creation; reset affected credentials.
  • Sensor health response: auto-redeploy or alert when agents are uninstalled/disabled; verify coverage during onboarding.
  • Endpoint hardening, patch management, and application control reduce noise and improve detection efficacy.
  • Threat hunting leverages EDR telemetry to test hypotheses and find stealthy activity.
  • Digital forensics relies on EDR data for timelines and artifact collection.